An authorization method using provisioned certificates is disclosed. The method includes writing security attributes to fields within a certificate and issuing the certificate to a software application on a principal node. The software application requests to perform actions on one or more resources on a resource node, sending one or more action requests along with a copy of its certificate. The resource node has an agent which verifies the permissions from the certificate and routes the request to its designated resource. The resource node returns one or more messages to the principal node, verifying whether or not complete the requests.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for authorizing actions on one or more resources, the method comprising: (a) receiving, at a resource node, one or more requests for performing an action on one or more resources held by the resource node and a certificate embedded with one or more security attributes, wherein the one or more security attributes comprise information about one or more resources allowed to be accessed and information about a permitted action associated with the one or more resources allowed to be accessed; (b), verifying, with aid of one or more processors at the resource node, the one or more security attributes from the certificate, and dispatching the one or more requests to the one or more resources based on the information about the one or more resources embedded in the certificate; and (c) authorizing one or more actions on the one or more resources based at least in part on the one or more requests and the information about the permitted action embedded in the certificate.
2. The method of claim 1 , wherein the certificate is issued by a certificate authority.
3. The method of claim 2 , where issuing the certificate comprises: receiving the certificate signing request from a requesting entity; verifying, by accessing a policy database, that the requesting entity is authorized to perform one or more actions on one or more resources; and returning to the requesting entity a signed certificate with one or more security attributes including resource information and the one or more actions.
4. The method of claim 3 , wherein issuing the certificate further comprises: sending a certificate signing request to a third-party certificate authority; and receiving a signed certificate from the third party certificate authority.
5. The method of claim 1 , wherein the certificate further comprises an identity of the requesting entity and an issuant.
6. The method of claim 5 , wherein the certificate further comprises a time bound for performing the one or more actions.
7. The method of claim 1 , wherein the one or more security attributes further comprise information about a name of a resource, and an address for the resource within a resource node.
8. The method of claim 1 , wherein the permitted action comprises one or more members selected from a group consisting of create, read, update, delete, execute, and write.
9. The method of claim 5 , wherein the identity of the requesting entity and the issuant are used for authentication check.
10. The method of claim 1 , wherein the one or more resources are selected from a group consisting of a database table, a REST endpoint, and a remote function call.
11. The method of claim 10 , wherein the one or more resources comprise a selected portion of a database or a REST endpoint.
12. The method of claim 1 , wherein the certificate is a standard x509v3 certificate.
13. The method of claim 12 , wherein the one or more security attributes is embedded in the Subject Alternative Name (SAN) field of the certificate.
14. The method of claim 1 , wherein the resource node and the requesting entity are in a cloud environment or a mobile environment.
15. The method of claim 1 , wherein the resource node and the requesting entity are in a hybrid environment.
16. The method of claim 1 , further comprising sending an approval message if the requesting entity is authorized to perform the one or more actions on the one or more resources.
17. A system for authorizing actions on one or more resources comprising: an agent running on a resource node, wherein the agent is configured to: receive, from a principal node, one or more requests for performing an action on one or more resources held by the resource node and a certificate embedded with one or more security attributes, wherein the one or more security attributes comprise information about one or more resources allowed to be accessed and information about a permitted action associated with the one or more resources; verify the one or more security attributes from the certificate; and dispatch the one or more requests to the one or more resources based on the information about the one or more resources embedded in the certificate; and a certificate authority configured to issue and provision the certificate to the principal node.
18. The system of claim 17 , wherein the certificate authority is provided on a management controller.
19. The system of claim 18 , wherein the management controller further comprises a policy database that is remote to the resource node.
20. The method of claim 1 , wherein (b)-(c) are performed without accessing a policy database.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
October 29, 2018
March 9, 2021
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.